About This Constellation ShortList™
While often tracked as distinct platforms, Enterprise Risk Management and Governance, Risk, and Compliance (GRC) platforms have been overlapping more and more in recent years as policy, risk, regulatory, safety and compliance tracking has become a combined top-level function in most publicly traded companies and many private firms as well. This trend is especially important as new regulatory regimes, such as GDPR, have become top compliance concerns.
The industry is currently at a crossroads: today's ERM and GRC solutions are moving out to the public cloud and becoming easier to use. Yet many specialized legacy and emerging vendors address only particular segments and scenarios, or focus on key IT or business functions. These can range widely, from policy management suites for guiding global corporate strategy and content management of risk data to reporting on compliance posture and conducting automated audits for identifying and managing IT vulnerabilities.
As a result, a mix of old and new ERM/GRC platforms exists today with very different capabilities and sensibilities, and few cover every type of feature. However, many are heading in the direction of becoming comprehensive suites, and some already offer robust feature sets. Given the wide variety of capabilities represented by ERM/GRC products, buyers should be prepared to carry out detailed feature-by-feature comparisons of vendors to ensure their needs will actually be met.
Constellation considers the following criteria for these solutions, taking into account capabilities from stable third-party marketplace providers if required:
- Ability to track key ERM/GRC data types (e.g., policies, risks, controls, procedures) in an integrated data model or document framework
- Features to carry out audits, risk assessments, and collect evidence
- Robust reporting and analytics with common ERM/GRC templates
- Effective training and education materials for users and admins
- Ability for most key ERM/GRC features to be configured (as opposed to customized)
- Support for Active Directory and HRM integration
- Workflow management capabilities for common ERM/GRC tasks
- Vendors with a sufficient customer base and revenue for stability
The Constellation ShortList™
Constellation evaluates over 50 solutions categorized in this market. This Constellation ShortList is determined by client inquiries, partner conversations, customer references, vendor selection projects, market share, and internal research.
- RSA Archer Platform
- LockPath Keylight
- MetricStream Enterprise GRC
- NAVEX Global Ecosystem
- Reciprocity ZenGRC
- Refinitiv GRC
- Resolver GRC Cloud
- SAI Global Compliance 360
- ServiceNow GRC
Frequency of Evaluation
Each Constellation ShortList evaluation will be updated every 180 days as needed.
If you would like to put our extensive expertise in vendor selections and contract negotiations to work for you, please contact us at ShortList@constellationr.com.